The four-router topology below will be used to demonstrate how it can be implemented.
Starting configurations:
R1:
hostname R1
!
interface FastEthernet0/0
 ip address 10.1.123.1 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 10.1.123.23

R2:
hostname R2
!
interface FastEthernet0/0
 ip address 10.1.123.2 255.255.255.0
 standby 1 ip 10.1.123.23
 standby 1 priority 105
 standby 1 preempt
 standby 1 name HSRP-123
 standby 1 track FastEthernet0/1
 no shut
!
interface FastEthernet0/1
 ip address 20.1.234.2 255.255.255.0
 standby 1 ip 20.1.234.23
 standby 1 priority 105
 standby 1 preempt
 standby 1 track FastEthernet0/0
 no shut
!

R3:
hostname R3
!
interface FastEthernet0/0
 ip address 10.1.123.3 255.255.255.0
 standby 1 ip 10.1.123.23
 standby 1 preempt
 standby 1 name HSRP-123
 no shut
!
interface FastEthernet0/1
 ip address 20.1.234.3 255.255.255.0
 standby 1 ip 20.1.234.23
 standby 1 preempt
 no shut
!

R4:
hostname R4
service tcp-small-servers
!
interface FastEthernet0/1
 ip address 20.1.234.4 255.255.255.0
 no shut
!
ip route 0.0.0.0 0.0.0.0 20.1.234.23
R2 will by default be the active HSRP router on Fa0/0 and Fa0/1 because its priority is set to 105. Should the tracked interface go down, the priority is decremented to 95, meaning R3 will take over.
R2#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 105 P Active local 10.1.123.3 10.1.123.23
Fa0/1 1 105 P Active local 20.1.234.3 20.1.234.23
R3#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 P Standby 10.1.123.2 local 10.1.123.23
Fa0/1 1 100 P Standby 20.1.234.2 local 20.1.234.23
So let's test it (we aren't doing NAT yet, but both R1 and R4 have default routes pointing to the virtual IP on their LAN segments):
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.234.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
Okay, let's bring down R2 Fa0/1. This should cause R3 to take over on both Fa0/0 and Fa0/1: on Fa0/1 because R2's hellos will have stopped, and on Fa0/0 because R2 will decrement its Fa0/0 priority below R3's and preempt is enabled.
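To make the election reasoning above checkable before touching a live router, here is a small model of HSRP election with interface tracking and preempt. This is an added example written for this page, not code from the original post or from Cisco; it assumes the default track decrement of 10 (which is what turns 105 into the 95 seen in the post) and the default priority of 100 for R3, and it models only R2 and R3 because R1 and R4 run no HSRP.

```python
"""HSRP active/standby election with interface tracking (added example, not from the post)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_PRIORITY = 100   # HSRP default when 'standby priority' is not configured
DEFAULT_DECREMENT = 10   # assumption: the default 'standby track' decrement


@dataclass
class HsrpGroup:
    ip: str                        # the interface's own address, used for tie-breaks
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    tracked: Optional[str] = None  # interface whose line protocol this group tracks
    decrement: int = DEFAULT_DECREMENT


@dataclass
class Router:
    name: str
    groups: dict[str, HsrpGroup]                       # interface name -> group 1 settings
    up: dict[str, bool] = field(default_factory=dict)  # interface -> line-protocol state (default up)

    def is_up(self, ifname: str) -> bool:
        return self.up.get(ifname, True)

    def effective_priority(self, ifname: str) -> int:
        """Configured priority minus the track decrement while the tracked interface is down."""
        g = self.groups[ifname]
        if g.tracked and not self.is_up(g.tracked):
            return g.priority - g.decrement
        return g.priority


def _ip_key(ip: str) -> tuple[int, ...]:
    return tuple(int(o) for o in ip.split("."))


def elect_active(routers: list[Router], ifname: str, current_active: Optional[str] = None) -> Optional[str]:
    """Name of the router that ends up HSRP Active on segment `ifname`.

    Only routers whose interface is up take part. Highest effective priority wins and
    ties go to the higher interface IP. If a router is already Active and the best
    candidate is not configured to preempt, the incumbent keeps the role.
    """
    candidates = [r for r in routers if ifname in r.groups and r.is_up(ifname)]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.effective_priority(ifname), _ip_key(r.groups[ifname].ip)))
    incumbent = next((r for r in candidates if r.name == current_active), None)
    if incumbent is not None and incumbent is not best and not best.groups[ifname].preempt:
        return incumbent.name
    return best.name


def page_topology() -> list[Router]:
    """R2 and R3 as configured in the post (each R2 group tracks the opposite interface)."""
    r2 = Router("R2", {
        "Fa0/0": HsrpGroup("10.1.123.2", priority=105, preempt=True, tracked="Fa0/1"),
        "Fa0/1": HsrpGroup("20.1.234.2", priority=105, preempt=True, tracked="Fa0/0"),
    })
    r3 = Router("R3", {
        "Fa0/0": HsrpGroup("10.1.123.3", preempt=True),
        "Fa0/1": HsrpGroup("20.1.234.3", preempt=True),
    })
    return [r2, r3]


def active_per_segment(routers: list[Router], current: Optional[dict[str, str]] = None) -> dict[str, Optional[str]]:
    """Active router on each segment, given who was Active before (for the preempt rule)."""
    current = current or {}
    return {ifn: elect_active(routers, ifn, current.get(ifn)) for ifn in ("Fa0/0", "Fa0/1")}


if __name__ == "__main__":
    rs = page_topology()
    before = active_per_segment(rs)
    rs[0].up["Fa0/1"] = False        # the 'shut' on R2 Fa0/1
    after = active_per_segment(rs, before)
    print("before:", before, "after:", after, "R2 Fa0/0 priority:", rs[0].effective_priority("Fa0/0"))
```

Flipping `preempt` off on R3's Fa0/0 group shows why the post enables it: R2 would keep the Active role on Fa0/0 at priority 95, so inside traffic would still be sent to a router whose outside interface is down.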
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int fa0/1
R2(config-if)#shut
*Mar 1 00:23:56.335: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
*Mar 1 00:23:58.343: %LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
*Mar 1 00:23:59.343: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
R2(config-if)#do sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 95 P Standby 10.1.123.3 local 10.1.123.23
Fa0/1 1 105 P Init unknown unknown 20.1.234.23
R3#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 P Active local 10.1.123.2 10.1.123.23
Fa0/1 1 100 P Active local unknown 20.1.234.23
R1#ping 20.1.234.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.234.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms
Okay, so HSRP is working as we want it. Let's introduce stateful NAT.
To use stateful NAT we need to configure a stateful NAT instance on each router and give each router a unique ID. In this example I'm just using the router number as the ID.
R2(config-if)#ip nat stateful id 2
Next we specify the name of the HSRP group that we are tracking; in this case it's "HSRP-123", which we configured on Fa0/0 on R2 and R3.
R2(config-ipnat-snat)#redundancy HSRP-123
Then we need to set a mapping-id, which is global for synchronisation.
R2(config-ipnat-snat-red)#mapping-id 23
Now we create a typical dynamic NAT entry. I tend to find that using a route-map with an ACL works more often than referencing the ACL directly.
R2(config)#ip access-list standard R1
R2(config-std-nacl)#permit host 10.1.123.1
R2(config-std-nacl)#exit
R2(config)#route-map NAT-R1
R2(config-route-map)#match ip address R1
R2(config-route-map)#exit
Then we set up our NAT pool and the NAT statement; notice we set the mapping-id to be the same as the one in our stateful NAT entry.
R2(config)#ip nat pool NAT-POOL 222.222.222.222 222.222.222.222 prefix-length 24
R2(config)#ip nat inside source route-map NAT-R1 pool NAT-POOL mapping-id 23
Now set the inside and outside NAT interfaces:
R2(config)#int fa0/0
R2(config-if)#ip nat inside
R2(config)#int fa0/1
R2(config-if)#ip nat outside
R2(config)#end
The stateful NAT configuration for R3 follows exactly the same procedure; only the stateful id must differ, since it has to be unique (R3 uses id 3, as the SNAT messages below confirm).
R3(config)#ip nat stateful id 3
R3(config-ipnat-snat)#redundancy HSRP-123
R3(config-ipnat-snat-red)#mapping-id 23
R3(config)#ip access-list standard R1
R3(config-std-nacl)#permit host 10.1.123.1
R3(config-std-nacl)#exit
R3(config)#route-map NAT-R1
R3(config-route-map)#match ip address R1
R3(config-route-map)#exit
R3(config)#ip nat pool NAT-POOL 222.222.222.222 222.222.222.222 prefix-length 24
R3(config)#ip nat inside source route-map NAT-R1 pool NAT-POOL mapping-id 23
R3(config)#int fa0/0
R3(config-if)#ip nat inside
R3(config)#int fa0/1
R3(config-if)#ip nat outside
R3(config)#end
Shortly after that we'll see messages about stateful NAT converging:
*Mar 1 00:21:27.587: %SNAT-5-PROCESS: Id 3, System start converging
*Mar 1 00:21:46.271: %SNAT-5-PROCESS: Id 3, System fully converged
We can check that redundancy is correct with "show ip snat distributed":
R2#sh ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.1.123.2
: Local NAT id 2
: Peer Address 10.1.123.3
: Peer NAT id 3
: Mapping List 23
R3#sh ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.1.123.3
: Local NAT id 3
: Peer Address 10.1.123.2
: Peer NAT id 2
: Mapping List 23
So let's test things:
R4#deb ip icmp
ICMP packet debugging is on
R1#ping 20.1.234.4 repeat 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 20.1.234.4, timeout is 2 seconds:
!
Success rate is 100 percent (1/1), round-trip min/avg/max = 12/12/12 ms
R4#
*Mar 1 00:30:45.951: ICMP: echo reply sent, src 20.1.234.4, dst 222.222.222.222
R4 thinks it was pinged by 222.222.222.222, so NAT is working fine.
If we check the translation entries we can see that R2 and R3 are in alignment:
R2#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 222.222.222.222:8 10.1.123.1:8 20.1.234.4:8 20.1.234.4:8
R3#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
icmp 222.222.222.222:8 10.1.123.1:8 20.1.234.4:8 20.1.234.4:8
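The two checks just made, "show ip snat distributed" for the peer relationship and "show ip nat translations" for table alignment, are the ones worth automating, together with the cross-check that the SNAT ACTIVE peer is also the HSRP Active router on the tracked group's interface (the same checks are repeated after the failover later in the post). The following is an added example written for this page, not code from the post or from Cisco. It parses the three outputs as text; the sample strings are built here in the layout the post shows, using the post's own values, plus one constructed failure case in which both peers claim ACTIVE with different mapping lists.

```python
"""Health checks for the stateful NAT pair, driven by 'show ip snat distributed',
'show ip nat translations' and 'show standby brief' text (added example, not from the post)."""
import re


def parse_snat_distributed(text):
    """Role and peer fields from 'show ip snat distributed' (missing fields become None)."""
    info = {"mode": None, "role": None}
    m = re.search(r"Mode\s+(\S+)\s*::\s*(\S+)", text)
    if m:
        info["mode"], info["role"] = m.group(1), m.group(2)
    labels = {"state": "State", "local_addr": "Local Address", "local_id": "Local NAT id",
              "peer_addr": "Peer Address", "peer_id": "Peer NAT id", "mapping": "Mapping List"}
    for key, label in labels.items():
        m = re.search(rf":\s*{label}\s+(\S+)", text)
        info[key] = m.group(1) if m else None
    return info


def parse_nat_translations(text):
    """Rows of 'show ip nat translations' as 5-tuples (proto, in-global, in-local, out-local, out-global)."""
    return {tuple(p) for p in (line.split() for line in text.splitlines())
            if len(p) == 5 and p[0].lower() in ("icmp", "tcp", "udp")}


def parse_standby_brief(text):
    """Interface -> HSRP state from 'show standby brief'; the P (preempt) column may be absent."""
    pat = r"^(\S+)\s+\d+\s+\d+\s+(?:P\s+)?(\w+)\s+\S+\s+\S+\s+\S+\s*$"
    return {m.group(1): m.group(2) for m in re.finditer(pat, text, re.M)}


def check_snat_pair(a, b):
    """Problems with the redundancy pair; an empty list means the peers look healthy."""
    problems = []
    roles = sorted(r for r in (a["role"], b["role"]) if r)
    if roles != ["ACTIVE", "STANDBY"]:
        problems.append(f"expected one ACTIVE and one STANDBY peer, got {roles}")
    for side in (a, b):
        if side["state"] != "READY":
            problems.append(f"NAT id {side['local_id']} is {side['state']}, not READY")
    if a["local_id"] == b["local_id"]:
        problems.append("stateful NAT ids must be unique")
    if a["peer_id"] != b["local_id"] or b["peer_id"] != a["local_id"]:
        problems.append("peer NAT ids do not cross-reference")
    if a["peer_addr"] != b["local_addr"] or b["peer_addr"] != a["local_addr"]:
        problems.append("peer addresses do not cross-reference")
    if a["mapping"] != b["mapping"]:
        problems.append("mapping-id lists differ, so translations will not synchronise")
    return problems


def active_peer(a, b):
    """Address of whichever peer reports ACTIVE, or None."""
    return next((s["local_addr"] for s in (a, b) if s["role"] == "ACTIVE"), None)


def translation_mismatch(a_text, b_text):
    """Translation rows present on only one of the two peers (empty when in sync)."""
    return sorted(parse_nat_translations(a_text) ^ parse_nat_translations(b_text))


def hsrp_snat_consistent(standby_text, snat, ifname="Fa0/0"):
    """A router should be SNAT ACTIVE exactly when it is HSRP Active on the tracked group's interface."""
    return (parse_standby_brief(standby_text).get(ifname) == "Active") == (snat["role"] == "ACTIVE")


def snat_sample(role, local_addr, local_id, peer_addr, peer_id, state="READY", mapping="23"):
    """Builds output in the layout the post shows (a constructed sample, not a new capture)."""
    return (f"Stateful NAT Connected Peers\nSNAT: Mode IP-REDUNDANCY :: {role}\n"
            f"    : State {state}\n    : Local Address {local_addr}\n    : Local NAT id {local_id}\n"
            f"    : Peer Address {peer_addr}\n    : Peer NAT id {peer_id}\n    : Mapping List {mapping}\n")


# The values below are the ones the post's outputs show, before and after R2 Fa0/1 is shut.
R2_BEFORE = snat_sample("ACTIVE", "10.1.123.2", "2", "10.1.123.3", "3")
R3_BEFORE = snat_sample("STANDBY", "10.1.123.3", "3", "10.1.123.2", "2")
R2_AFTER = snat_sample("STANDBY", "10.1.123.2", "2", "10.1.123.3", "3")
R3_AFTER = snat_sample("ACTIVE", "10.1.123.3", "3", "10.1.123.2", "2")
TRANSLATIONS = """Pro Inside global          Inside local        Outside local    Outside global
tcp 222.222.222.222:61143  10.1.123.1:61143    20.1.234.4:19    20.1.234.4:19
"""
R2_STANDBY_AFTER = """                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Fa0/0       1    95  P Standby 10.1.123.3      local           10.1.123.23
Fa0/1       1    105 P Init    unknown         unknown         20.1.234.23
"""
# Constructed failure case: both peers claim ACTIVE and their mapping lists differ.
SPLIT_BRAIN = (snat_sample("ACTIVE", "10.1.123.2", "2", "10.1.123.3", "3"),
               snat_sample("ACTIVE", "10.1.123.3", "3", "10.1.123.2", "2", mapping="24"))

if __name__ == "__main__":
    for label, pair in (("before", (R2_BEFORE, R3_BEFORE)), ("after", (R2_AFTER, R3_AFTER)), ("split", SPLIT_BRAIN)):
        a, b = map(parse_snat_distributed, pair)
        print(label, "active:", active_peer(a, b), "problems:", check_snat_pair(a, b))
    print("translation mismatch:", translation_mismatch(TRANSLATIONS, TRANSLATIONS))
```

In practice the three outputs would be collected from both routers at the same moment and fed to these functions; a non-empty problem list, a translation mismatch, or an HSRP/SNAT role disagreement is what to alert on, since each means a failover would not carry the sessions across cleanly.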
So let's test that the stateful part of the NAT is working. The easiest way to verify it is to have a TCP stream between R1 and R4. R4 has service tcp-small-servers in its configuration, which means the chargen service on TCP port 19 is listening.
R1#telnet 20.1.234.4 19
Trying 20.1.234.4, 19 ... Open
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefg
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefgh
"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghi
#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghij
$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijk
........
R4 will keep sending traffic forever...
So let's check the NAT tables:
R2#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.222:61143 10.1.123.1:61143 20.1.234.4:19 20.1.234.4:19
R3#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.222:61143 10.1.123.1:61143 20.1.234.4:19 20.1.234.4:19
Let's shut down interface fa0/1 on R2, which should cause R3 to take over in HSRP and trigger a stateful NAT takeover as well.
R2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#int fa0/1
R2(config-if)#shut
SNAT: interface FastEthernet0/1 with address 20.1.234.2 is down
R2(config-if)#
%HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Active -> Init
%TRACKING-5-STATE: 2 interface Fa0/1 line-protocol Up->Down
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Active -> Speak
%SNAT-5-PROCESS: Id 2, System start converging
SNAT (Receive): CONVERGENCE Message from Router-Id: 3 for Router-Id: 0's entries
%SNAT-5-PROCESS: Id 2, System fully converged
%LINK-5-CHANGED: Interface FastEthernet0/1, changed state to administratively down
%LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
%HSRP-5-STATECHANGE: FastEthernet0/1 Grp 1 state Standby -> Active
SNAT Redundancy(prempt): we are in middle of FOR_ALL HSRP-123 HSRP-123
%HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active
%SNAT-5-PROCESS: Id 3, System start converging
%SNAT-5-PROCESS: Id 3, System fully converged
SNAT (Receive): CONVERGENCE Message from Router-Id: 2 for Router-Id: 0's entries
R2(config-if)#do sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 95 P Standby 10.1.123.3 local 10.1.123.23
Fa0/1 1 105 P Init unknown unknown 20.1.234.23
R2(config-if)#do sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.222:61143 10.1.123.1:61143 20.1.234.4:19 20.1.234.4:19
R2(config-if)#do sh ip snat dist
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: STANDBY
: State READY
: Local Address 10.1.123.2
: Local NAT id 2
: Peer Address 10.1.123.3
: Peer NAT id 3
: Mapping List 23
R2 is not the active NAT device here...
R3#sh standby brief
P indicates configured to preempt.
|
Interface Grp Pri P State Active Standby Virtual IP
Fa0/0 1 100 P Active local 10.1.123.2 10.1.123.23
Fa0/1 1 100 P Active local unknown 20.1.234.23
R3#sh ip nat tr
Pro Inside global Inside local Outside local Outside global
tcp 222.222.222.222:61143 10.1.123.1:61143 20.1.234.4:19 20.1.234.4:19
R3#sh ip snat distributed
Stateful NAT Connected Peers
SNAT: Mode IP-REDUNDANCY :: ACTIVE
: State READY
: Local Address 10.1.123.3
: Local NAT id 3
: Peer Address 10.1.123.2
: Peer NAT id 2
: Mapping List 23
And the R1/R4 NATed session is still in operation:
XYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@
YZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@A
Z[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@AB
[\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABC
\]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCD
]^_`abcdefghijklmnopqrstuvwxyz{|}~ !"#$%&'()*+,-./0123456789:;<=>?@ABCDE